1. Whereas: 


1.1 


Certificate Reference: DPA/s111/Security Service 


SECTION 111 DATA PROTECTION ACT 2018 


CERTIFICATE OF THE SECRETARY OF STATE 


by section 110 of the Data Protection Act 2018 (“the Act”) it is provided 
that the processing of personal data is exempt from certain provisions 
of the Act if the exemption from that provision is required for the purpose 
of safeguarding national security. For information, a full list of these 
provisions is provided at Annex A. 


by section 111(1) it is provided that a certificate signed by a Minister of 
the Crown certifying that an exemption from all or any of the provisions 
mentioned in section 110(2) is or at any time was required for the 
purpose of safeguarding national security in respect of any personal 
data shall be conclusive evidence of that fact. 


by section 111(2), it is provided that a certificate under section 111(1) 
may identify the personal data to which it applies by means of a general 
description and may be expressed to have prospective effect. 


2. And considering the potentially serious adverse repercussions for the 
national security of the United Kingdom if the exemptions hereafter identified were 


not available. 


3. And for the reasons set out below: 


3.1 


3.2 


3.3 


The work of the intelligence services (the Security Service, the Secret 
Intelligence Service and the Government Communications 
Headquarters) of the Crown requires secrecy. 


The very nature of the work of the Security Service requires exemption 
on national security grounds from those parts of the Act that would for 
example, limit their ability to perform their statutory functions and that 
would allow access to the Security Service’s premises by third parties. 


The general principle of neither confirming nor denying whether the 
Security Service processes data about an individual, or whether others 
are processing personal data for, on behalf of, with a view to assisting, 
working with, or in relation to the functions of the Security Service is an 
essential part of that secrecy. In dealing with requests for information or 
access under the Data Protection Act 2018, the Security Service will 
examine each individual request to determine: 


i) whether adherence to that general principle is required for the 
purpose of safeguarding national security; and 


ii) in the event that such adherence is not required, whether and to 
what extent the non-communication of any data or any description 
of data is required for the purpose of safeguarding national security. 


4. Now, therefore, |, the Right Hon Sajid Javid MP, being a Minister of the Crown 
who is a member of the Cabinet, in exercise of the powers conferred by the said 
section 111 do issue this certificate and certify as follows:- 


4.1 


4.2 


4.3 


That any personal data that is processed by the Security Service as 
described in Column 1 in the table below is and shall continue to be 
required to be exempt from those provisions of the Act that are set out 
in Column 2; 


That any personal data that is processed by any other person or body 
(“third party”), as described in Column 1 in the table below, is and shall 
continue to be exempt in the circumstances specified below from the 
provisions of the Act set out in Column 2 below; 


The specified circumstances are that the processing of personal data 
by the third party in the course of data processing operations carried 
out (a) for, on behalf of or at the request of the Security Service or (b) 
in relation to the functions of the Security Service described in section 
1 of the Security Service Act 1989, in both cases where the Security 
Service is the data controller; 


all for the purpose of safeguarding national security, provided that: 


(i) data shall not be exempt from the provisions of sections 93 and 94 of the Data 
Protection Act 2018 if the Security Service, after considering any request by a 
data subject for access to relevant personal data, determines that adherence 
to the principle of neither confirming nor denying whether the Security Service 
holds that data about an individual is not required for the purpose of 
safeguarding national security; 


(ii) data shall not be exempt from the provisions of sections 93(1)(b)-(d) and (g), 
94(1)(a)-(b), 94(2)(a)-(d) and (g) and 98 of the Data Protection Act 2018 if the 
Security Service, after considering any request by a data subject for access to 
relevant personal data, determines that non-communication of that data or any 
description of that data is not required for the purpose of safeguarding national 
security. 


Column 2 


a) Personal data processing in Data Protection Act 2018: 
performance of the functions of the 
Security Service is described in section 1 ) Secon BERN) 
of the Security Service Act 1989 including li) Section 89 
iii) Section 93(1)(b)-(d) and (g) 


but not limited to: i 
iv) Section 94(1)(a)-(b), 
v) Section 94(2)(a)-(d) and (g), 

i) Sections 96-97 

vii) Section 99(1)-(3) 

Section 119 

ix) Section 142 

x) Section 146 

xi) Section 148 

xii) Sections 149-151 

xiii) Section 154 

xiv) Sections 170-173 

xv) Schedule 13 paragraphs 1(a), (g) and 2 

xvi) Schedule 15 
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data relating to human resources 
(including recruitment candidates, 

current and former members of staff | ( 
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viii 


~ 


vetting-related data 


data relating to building and 
personnel security (including CCTV) 


data relating to commercial 
relationships 


b) Personal data processing under Part 4 


of the Data Protection Act by third parties, 
including but not limited to: 


other Government departments 
public authorities 
commercial organisations 


where that processing is: 


e for, on behalf of or at the request of 
the Security Service or in relation to 
its functions described in section 1 
of the Security Service Act 1989, 
and 


the Security Service is the data 
controller. 


Expires 


ANNEX A 


Provision 


Notes 


Section 86(1)(b) 


First data protection principle, duty to be fair and 
transparent 


Section 86(3) - 86(7) 


Remainder of the first data protection principle 


Sections 87-91 


Second to sixth data protection principles 


Sections 92-100 


Chapter 3, rights of the data subject 


Section 108 Communication of a personal data breach to the 
Commissioner 
Section 119 Inspection in accordance with international obligations 


Sections 142-154 


Commissioners notices and powers of entry and 
inspection 


Sections 170-173 


Offences relating to personal data 


Sections 174-176 


Provisions relating to the special purposes 


Schedule 13. 
1(a), 1(g) and 2 


paragraphs 


Other general functions of the Commissioner 


Schedule 15 


Powers of entry and inspection 


